MikroTik Tutorial: How to enable DNS over HTTPS (DoH)

MikroTik Tutorial: How to enable DNS over HTTPS (DoH)

In this MikroTik Tutorial I will show you how to configure DNS over HTTPS on your MikroTik router using either Cloudflare DNS servers or Google DNS servers.

The latest stable version of RouterOS 6.47 adds support for DNS over HTTPS or DoH. DoH is a protocol for performing remote DNS over HTTPS protocol. It is similar to DoT (DNS over TLS) but not exactly the same.

DNS Queries over HTTPS (DoH) is an accept IETF standard RFC8484.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks[1] by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver.

Wikipedia DoH page

UPDATE: RouterOS v6.47 was released to the stable channel on June 2nd 2020 with DNS over HTTPS support. I used a RB4011 router running RouterOS v6.47beta60 during testing. You will see 6.47beta60 referenced in the screenshot below but I recommend using the stable channel.

Steps to Configure DNS over HTTPS on a MikroTik Router

Time needed: 2 minutes

  1. Upgrade to RouterOS v6.47 available in the stable channel.

    System | Packages | Check for Updates

  2. Download and Import root certificates

    /tool fetch url=https://curl.haxx.se/ca/cacert.pem
    /certificate import file-name=cacert.pem passphrase=””
    Root CA certificates

  3. Remove DNS Servers

    In winbox open IP | DNS, remove existing Servers

  4. Add a static DNS entry for the DoH hostname.

    IP | DNS | Static | +
    Add 2 Static DNS Entries for cloudflare-dns.com to Address: 104.16.248.249 and 104.16.249.249.
    If you plan on using Google add dns.google pointing to 8.8.8.8 and 8.8.4.4.

  5. Add providers url to “Use DoH Server” and check the box “Verify DoH Certificate”

    For cloudflare I added https://cloudflare-dns.com/dns-query

Verify that DoH is enabled and working

Cloudflare has provided a simple web status page at https://1.1.1.1/help to verify that you have configured DNS over HTTPS properly.

Configure Cloudflare DNS over HTTPS resolver

The resolver url for Cloudflare is https://cloudflare-dns.com/dns-query as show in the screenshot above.

Configure Google’s DNS over HTTPS resolver

The resolver url for Google is https://dns.google/dns-query as show in the screenshot below.

Error Messages & Troubleshooting

dns, error DoH server connection error: SSL: handshake failed: unable to get local issuer certificate (6)

This error is a result of not having root certificates installed to validate the https certificate of the DNS server url.

dns, error DoH server connection error: resolving error

This error is a result of entering only an IP address in the Use DoH Server field. It should be entered as a https:// url.

Enable DNS debug logging

Another way to see what is going on with dns queries on your MikroTik router is to enable DNS logging.

Verify DoH is working with Torch

To verify that DoH is configured and working run torch on your WAN interface and verify you see no udp or tcp connections to DNS port 53. In my configuration to cloudflare I can see multiple https connection to 1.1.1.1.

Now you have DNS over HTTPS configured on your MikroTik Router. I hope you have enjoyed this howto article, you can find many more MikroTik Tutorials here.

Did this work for you? Let me know in the comments section below.

More MikroTik Articles

61 Replies to “MikroTik Tutorial: How to enable DNS over HTTPS (DoH)”

      1. not work, nextdns always error connecting, it says “doh server connection error: resolving error” so i decide to set it DNS over tls, and work charm via vps

          1. yeah its work but, how about configuration inside nextdns link over https? i test it and mikrotik log always says “DoH server connection error, resolving error. “, about 1 minutes after apply dns. just test it with your config inside nextdns. and see what wrong with that

          2. You were able to get it to work with the FQDN? I had to use the resolved IP + my configuration url to get it to work with NextDNS.

    1. I found a solution to this: If you leave at least one regular DNS Server IP in the DNS configuration, rOS will use it to perform a regular lookup on the configured DoH FQDN, then switches everything after that to DoH. This also seems to fix the “DoH server connection error: resolving error” message in the logs.

      1. Thank you, this is also a viable option! In my testing, if DoH resolution fails it does not fallback to tradition DNS queries (Which is a good thing). It appears to only use the specified (traditional) name server to resolve the hostname in the DoH url.

  1. Thank you for great tutorial!
    I think that not all root certificates are needed. If you go to “https://1.1.1.1/” it is issued for “cloudflare-dns.com”
    – That is issued by “DigiCert ECC Secure Server CA”
    – And it is issued by “DigiCert”
    – Would it be possible to share tutorial to import just required certificate?

      1. Thank you for great starting point. I have done it this way:
        1. First get certs from the source
        openssl s_client -connect 1.1.1.1:443 -showcerts
        2. Copy BEGIN CERTIFICATE section, save it to TXT, rename to CRT and double click
        3. Do not import it on Windows. Go to Certification Path tab.
        Select topmost(root) certificate and click View Certificate – Details tab – Select Serial number. Copy and paste Serial number to Notepad. Add double dots to SN.
        4. Find SN on https://www.digicert.com/digicert-root-certificates.htm and copy link from “Download PEM”
        5. On router use this link for /tool fetch url= and Import it
        6. Repeat from 3 and download second(intermediate) certificate.

    1. I do not see a way that you can add a second provider but it may be possible to monitor and swap out providers with MikroTik Scripting.

      I have not tested DoH over IPv6 but I would also love to know the answer.

  2. Google DoH does not work via IP addr, it’s rejecting.
    Use FQDN in conjunction with DNS record instead.

    1. Yes, you right, but my RB750Gr3 had a load of up to 80% CPU with this certificate. With certificate which are given in article work fine, 1-3% CPU load. Really not understand why.

  3. Hello, thank you for this tutorial. Everything is working nicely, but after rebooting router, DNS settings DOH is lost…my hw is hAP ac2.

  4. I would also add that “Allow Remote Requests” should be disabled for security reasons.
    – But in this case it must be enabled, otherwise only router itself will be able to use DoH.
    – Solution might be to firewall port 53(DNS) on input chain from WAN port.
    – Let me know if you know better solution.
    ip firewall filter add action=drop chain=input dst-port=53 protocol=udp
    ip firewall filter add action=drop chain=input dst-port=53 protocol=tcp

    1. Better is allow for input chain only what you need and reject (or drop) everything else:
      add action=accept chain=input comment=”Accept established, related” connection-state=established,related
      add action=accept chain=input comment=”Accept all from LAN” in-interface-list=LAN
      add action=accept chain=input comment=”Accept ICMP” protocol=icmp
      add action=reject chain=input comment=”Reject everything else” reject-with=icmp-admin-prohibited

  5. Simple DoH setup:
    /tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
    /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=””
    /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

  6. Regarding DigiCert Global Root CA, you can also just export it from 1.1.1.1 website. Any website will have the certification path and all the certs in it anyway.

  7. are there IPv6 addresses for cloudflare-dns.com available? I’d like to have IPv4 and IPv6 available if possible

    1. cloudflare-dns.com@1.1.1.1 (CloudFlare):
      cloudflare-dns.com.	80	IN	AAAA	2606:4700::6810:f9f9
      cloudflare-dns.com.	80	IN	AAAA	2606:4700::6810:f8f9
  8. had issue in log
    DoH Server Connection error : remote disconnected while in http exchange

    is there any solution of this ?

  9. sometimes “DoH server connection error, idle time out – connecting” after a few hour so i cant connect internet for 1-3 seconds. how to solve this thanks

    1. Apparently you can use it until it expire (e.g. DigiCert Global Root CA for 1.1.1.1 is valid until: 10/Nov/2031). Then you import new certificate with new expiry date.

  10. I tried with the instruction but it didn’t work for me. Not sure what went wrong. I tested it remotely by creating PPTP remote user. When I torch on to that PPTP interface I found DNS request are hitting on 53 port. Any advice?

  11. i got this error: DoH server connection error: SSL: handshake failed: unable to get certificate CRL (6) i already installed the certifitate, no luck

  12. I am using google DoH. But, it’s giving me errors sometimes DoH server connection error: connection timeout. The same thing happened with cloudflare.

    1. I cannot reproduce this error but I would suggest you increase Mac Concurrent Queries and Max Concurrent TCP Sessions under IP | DNS settings and monitor. Let everyone know if that works.

  13. Seems like without any modification it’s working after a couple of reboots and dns flash. Will wait for the next power failure to occur and see what happens. Thank you for replying.

  14. Dear Concern,
    I have successfully configured the system. It is showing me Verify that DoH is enabled and working. When I am torching WAN interface it is not showing me 1.1.1.1:443(http) rather showing me 1.1.1.1:53(dns). I dont know why it is happening. Is it any config error? Please let me know what to do if I want to solve the issue.

  15. Dear JC ,Your tutorial is fantastic.It was very easy to setup. I have configured IPV4 and IPV6 static DNS of Cloudfare and rest as per your document. IPv4 is working fine but I have issue with IPV6 DNS resolution.I am getting IPv6 address but If i ping any ipv6 domain i am getting Error,so please help.

    [admin@DOH DNS Server] > ping 2001:4860:4860::8888
    SEQ HOST SIZE TTL TIME STATUS
    0 2001:4860:4860::8888 56 119 57ms echo reply
    1 2001:4860:4860::8888 56 119 39ms echo reply
    2 2001:4860:4860::8888 56 119 44ms echo reply
    sent=3 received=3 packet-loss=0% min-rtt=39ms avg-rtt=46ms max-rtt=57ms

    [admin@DOH DNS Server] > ping v6.facebook.com
    invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: name does not exist

  16. Thanks for the article. As a father I wanted to take advantage of the family filtering. I used the following setup:

    /tool fetch url=”https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem”
    /certificate import file-name=DigiCertGlobalRootCA.crt.pem

    /ip dns static add address=104.16.248.249 regexp=”.+\\.cloudflare-dns\\.com” type=A
    /ip dns static add address=104.16.249.249 regexp=”.+\\.cloudflare-dns\\.com” type=A

    /ip dns set allow-remote-requests=yes max-concurrent-queries=200 use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes

    The static DNS entries use regex to match any subdomain of cloudflare-dns.com. You can then use the following URL’s depending on the filtering requirements you need:

    https://cloudflare-dns.com/dns-query = 1.1.1.1 = Standard
    https://security.cloudflare-dns.com/dns-query = 1.1.1.2 = No Malware
    https://family.cloudflare-dns.com/dns-query = 1.1.1.3 = No Malware + No Adult Content

    The URL’s can be found here: https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https

  17. I want to first use a local dns server as a dns black hole blocking tracking and some advertisements and all adult websites, including pornography and gambling. Then perform DNS over HTTPS so that only the provider of my DoH can see my traffic. Can this be done?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.